1. 2

    There is a tool called Lorri which seems like something you should really look at:

    https://www.tweag.io/blog/2019-03-28-introducing-lorri/

    “When your channel updates, lorri watch automatically begins re-evaluating your project’s dependencies in the background, outside of your work shell. If you enter the shell before the evaluation completes, the last completed evaluation is loaded instead. When the new one is ready, your environment updates automatically.”

    1. 1

      It would be useful to know who is behind this…

      1. 1

        Well they share two initial letters with a certain organization based in Fort Meade, MD…

      1. 2

        One thing sorely missing from Nest in order to bootstrap is the ability to download a tarball/zipfile/etc.

        I see a nix file, so eager to try it out but I cannot get anu without having anu…

        1. 3

          Here you go:

          $ curl https://static.crates.io/crates/anu/anu-1.0.0-alpha.crate | tar -tzvf -
          
          1. 2

            Here’s a nix expression (that delegates to cargo): https://github.com/NixOS/nixpkgs/pull/102968

            1. 1

              I’ve always wanted to try NixOS, but I don’t want to taint my computer with systemd.

              I’ll try it whenever somebody forks it and removes the systemd dependency or they release a systemd-free version.

              /shrug

              1. 5

                I don’t think that will happen, as NixOS uses several good features from systemd. You can also just try Nix, for handling packages and dependencies for your projects.

                1. 8

                  There was a talk at NixCon about abstracting out services in NixOS:

                  https://cfp.nixcon.org/nixcon2020/talk/TW79FU/

                  Allowing us to reuse the service configuration for launchd on macOS or various alternatives like supervisord.

                  1. 1

                    I might try the Nix sometime. But for now it looks like I can safely cross NixOS off the list of distros to try.

                    1. 17

                      If blind hatred of systemd here is what is holding you back, maybe try broadening your horizons a bit.

                      NixOS uses it to good effect.

                      1. 5

                        Did you really just assume that my hatred of systemd is blind?

                        That I, in no way, have a rational disgust for this software?

                        systemd is a horrible piece of software for many reasons:

                        1. The undeniable feature creep. While some people actually enjoy the features brought in from it (boot manager, network manager, login manager, home manager, etc), I find them to be nothing but bloat. An init system should be just that. An init system. Not <insert an exaggerated amount of functions here>.

                        2. It is slow. Slow to shutdown, slow to boot up, etc. Here are actual timed reboots from my machine using 3 init systems. systemd (2m3s), OpenRC (11s), Runit (7s). 2m3s vs 7s, which would you choose?

                        3. Due to the feature creep, there is a larger attack surface for bugs and security vulnerabilities. And there are security issues with systemd.

                        4. This is the one that bothers me the most. It’s almost as if the dev(s) are completely oblivious or at least ignorant to the feature creep and security issues.

                        5. A lot of the time, we don’t even get the choice to not use systemd. There are a lot of packages (and the list grows every day) with a hard dependency on systemd, so unless you modify that program yourself, you literally won’t be able to use it unless you succumb to using systemd.

                        6. There are privacy issues with it. For example the hardcoding of Google’s DNS. “It’s a fallback”, that’s no excuse. At some point someone will be using that and their privacy will be ruined.

                        Now, some of these you could call nitpicks (like the reboot times). However I find issues 1, 4, 5, and 6 just unacceptable. Those are what absolutely keep me from using it.


                        This is my abridged list of issues, but I can make an even larger wall of text if you want me to.


                        And I really don’t appreciate your tone. You sound very stuck up and pretentious telling me to “broaden my horizons”.

                        On top of the fact that you just assumed that I had no reason to hate systemd. Honestly.

                        All you had to do was ask, “hey, may I know what about systemd you hate? why is it bad?”.

                        But no, you decide to insult me with your stupid response.

                        1. 10

                          You don’t have to use it forever, or even agree with its implementation! You don’t have to trash your daily driver!

                          But my dude, not even giving it a shot because of your issues with systemd (quite aside from whether or not those are valid, which I mostly think they are…I rather despise it for other reasons) is cutting off the nose to spite the face–especially since you also don’t want to try Guix.

                          I meant broadening your horizons in the literal sense: there is some really interesting stuff happening in those ecosystems, and even a brief foray into them may be really useful and neat–or it might not. But, like, if you refuse to even try because of NixOS’s use of systemd, you’re letting those developers harm you twice.

                          1. 4

                            I apologize for my rudeness. At the time I had literally just woken up, haven’t had any coffee or cigarettes, and the first thing I saw was someone telling me that I have a blind hatred and that I need to broaden my horizons.

                            Surely you can admit that from my perspective, that would be at least a little irritating.

                            I can agree with what you’re saying, but personally I can’t do it. Using an OS which uses systemd would be justifying it. And I can’t allow that. That would be hypocritical and unjust.

                            “Be the change you want to see”: By refusing to use anything with systemd, I as an individual am giving less power to it and its devs.

                            1. 2

                              No sweat–I probably could’ve found a gentler phrasing than “broaden your horizons”. My apologies!

                  2. 3

                    What about Guix?

                    1. 2

                      No thank you. Guix is a rant for another time, but trust me when I say I hold a disdain for it.

                      1. 7

                        I’d like to hear that rant some time, out of curiosity.

                        1. 2

                          I second this, even just a rough draft would do.

                          1. 1

                            Maybe sometime.

                            When I rant, it messes my whole day up. I’m still seething about the “blind hatred of systemd” thing.

                            1. 1

                              Seconded. This person seems to have interesting opinions.

                        2. 3

                          You can use Nix and nix packages without systemd… nix is a package management system, and does not itself run any services.

                          1. 1

                            I was mainly interested in the OS, not the package manager.

                            But at some point I plan on trying Nix. If I like it enough, I might run NixOS in a VM.

                          2. 1

                            You can use systemD free version PKGSRC

                            1. 9

                              pkgsrc completely lacks the desired-state, functional language, and system management components of nix. It’s an apples and oranges comparison.

                              1. 1

                                Can you demonstrate how I can install multiple different versions of the same package without breaking the system install via pkgsrc?

                                As well as defining everything in a declarative way? I already use the “systemd free version” known as macos nix package manager. And I can do the same on any linux.

                                Also will need a way to do things like nix overlays which let me add custom patches to package builds.

                                Drive by comments like this without explaining how PKGSRC replaces or can be an alternative aren’t very useful. And as a note, I’ve set a super high bar for PKGSRC here but that’s because I get all of the above (and more) for free from the nix package manager. NixOS adds some more neat bits but ultimately it’s all on top of nix.

                            1. 2

                              I think this (by all accounts) looks like a terrible feature that needs to be buried. Cool URIs don’t change, and cool URIs should not be changed by someone merely delivering email.

                              If such a feature would be attractive to individual users, Google could instead use javascript to rewrite URLs in the browser ‘live’. By forever rewriting the body of the mail Google creates an eternal dependency on a temporal service. A hundred years from now, the mail archive you dig up would contain dead links. That is not robust. Also, visiting the link now is time stamped, even when it is forwarded to non-Google users. I’ve seen the Microsoft link checked URL even show up on websites, if people do not carefully copy and paste into e.g. their CMS.

                              From a privacy perspective I find such behaviour not acceptable.

                              1. 1

                                Is there code for this editor somewhere available?

                                1. 6

                                  Why is Atlas creating/maintaining this browser? There’s a lot of trust that a user imparts on a web browser when they choose to use it, and I’m cautious of companies with no clear source of revenue deciding to release free (as in beer and freedom) browsers.

                                  1. 7

                                    They are working on a grant from NLnet, see https://nlnet.nl/project/NyxtBrowser :

                                    This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. Applications are still open, you can apply today.

                                    It used to be called Next, but was renamed a few months ago: https://lobste.rs/s/ijgvlq/next_browser_is_now_nyxt

                                    1. 1

                                      Indeed, that has been a very valuable grant for us and has kept us going. We are very grateful and thankful for NLnet!

                                    2. 2

                                      Agreed. I was under the impression that ‘atlas’ was just the name given to the group of people developing the browser. Now, looking more closely, it looks to be an actual company. Moreover, they claim to be ‘Open by Design’ and to have been around for over a decade; despite this, their github only contains nyxt (and a couple of associated libs). Would appreciate if @jmercouris could clear this up.

                                      1. 1

                                        We have not been around as a company for more than two years. The statement refers to our experience as engineers. For more information about our revenue model, see my post response to “craftyguy”.

                                      2. 2

                                        Why is Atlas creating/maintaining this browser?: It started because we wanted Emacs as a browser, from there on, I kept working on it and it kept growing. Why is it open source? Because I have been using open source software for a long time, and it is the only software that you can really trust.

                                        Revenue model: We plan on creating some applications using Nyxt that will hopefully be appealing to users. For example, we want to build an email client, IRC client, etc. These will be also open source, but for sale (available for free for those who cannot afford it). Before that, we were doing consulting work to support the development of Nyxt.

                                        As per can you trust us? You don’t have to trust us, the source is all there for your scrutiny (and always will be)!

                                      1. 7

                                        Interesting read, happy to see @arp242’s work being recognised.

                                        Also, for those interested in the topic: do have a look at https://offen.dev … another awesome new option that is fully free and open source.

                                        1. 5

                                          I’m aware of offen, mostly because both offen and GoatCounter have a grant from NLnet NGI0. When I looked at it back in January it seemed in very early stages, but haven’t kept up. I’ve been planning to get in touch to discuss some thoughts/approaches and see what we can learn from each other, but haven’t gotten around to that yet 😅

                                          At any rate, Ben emailed me a few days ago asking for comments on his draft (which was published pretty much as-is), and here are some comments I sent back, which may be of interest here as well:


                                          it’s a little less slick-looking than some

                                          Yeah, this is a Work-In-Progress thing… I looked at a lot of options and eventually settled on d3.js. I have some prototype code, and I’ll finish it at some point. Just a matter of time/priorities.

                                          My original plan was to make it work fully without JavaScript, but I’ve since let that go for various reasons. This is why it uses flexboxes for the charts, which works without JS and actually works surprisingly well.

                                          The biggest downside is that it looks a bit meh and that the large DOM size doesn’t perform too well in some cases.

                                          The tool supports all the basic analytics

                                          One of the big future goals of GoatCounter is to go beyond that and offer more advanced statistics useful for more serious business use. e.g. there’s a PR for bounce rates already (which works, but first want to refactor some stuff). This was one of my frustrations with e.g. Fathom and SimpleAnalytics which were already around, but seemed “stuck” in “too simple” analytics.

                                          But it’s not there yet… Turns out doing stuff on your own chews up a lot of time 😅 Turns out the biggest challenge here is UI design rather than the code. I think I spent more time trying to find a good way to display the bounce rates than actually implementing it.

                                          The self-hosted version is also straight-forward to set up using the Linux binaries or by building from source — it took me less than 10 minutes to build from source and set it up locally with the default SQLite database configuration. In contrast to Plausible (discussed below), it was much lighter to install, it didn’t download anything, and it started up almost instantly.

                                          One (AFAIK somewhat unique) aspect of GoatCounter is that it’s completely self-contained: you never need anything other than GoatCounter to run it if you don’t want to, other than a SQLite DB file or PostgreSQL connection (no way around that).

                                          This is intentional and a property I rather like, as running a lot of self-hosted software can be a bit of a mission (e.g. setting up WordPress for writing the GoatCounter plugin took some time, even with the Docker container).

                                          In many ways, GoatCounter is an open source project designed to be self-hosted first, and a “business” second.

                                          1. 1

                                            Would Offen be able to run in Google Cloud Run (serverless containers)? This would make it a lot more affordable than a Heroku dyno.

                                            Also it would be great if it could use a database like say DynamoDB, Firestore, or Fauna which would reduce operation costs even further.

                                            1. 2

                                              Hi, one of the Offen authors here.

                                              We’re far from being GCP experts, but if I understand Cloud Run correctly, you should be able to run our offen/offen image there if you configure it to be “horizontally scaling”. Unfortunately, we’re also not too knowledgeable on serverless databases, so I can’t tell you if the ones you mention would work, but Offen can connect to anything that speaks MySQL or PostgreSQL right now, so for example Google Cloud SQL should work fine. Our code has the hooks in place to cater for non-relational datastores too, but it’s not really on our near future roadmap to implement this ourselves.

                                              That being said, if you are looking for a cost-effective way of hosting Offen, you can definitely find “traditional” options that are cheaper than Heroku. For example, we are running our own instance on a single free tier t2.micro on AWS, but we have also tested it running on a t3.nano (which is USD 3.90 a month), and which worked perfectly fine under load and will give you a database (either SQLite or local Postgres / MySQL), free self-renewing SSL and basically everything else you need out of the box. In case you are interested this is the setup we use: https://github.com/offen/deployment. We also maintain a DigitalOcean image which I think would start at USD 5 a month.

                                              1. 2

                                                Thanks for the detailed response.

                                                Vultr (similar to DO) has VPSs as low as $2.5 per month. Do you think it could work there?

                                                https://www.vultr.com/products/cloud-compute/

                                                1. 3

                                                  Vultr come quite highly recommended; if it fits on a t3.nano, it’ll run fine (though you’ll want e.g. a free cloudflare account in front of it to speak ip4; the really cheap instances are ip6 only).

                                                  1. 2

                                                    I don’t know about all of the implications of that IPv6 limitation that is mentioned, but other than that I can’t see a reason why you couldn’t host it on such an instance. The specs should be enough for any lower traffic scenario. Looks like the IPv4 version of such an instance is $3.5 only too.

                                            1. 4

                                              Completely agree that client certs are long overdue. For people interested in the topic: maybe have a look at Redwax which is trying to make use of client side certificates a lot more convenient. It consists of a series of modules for the Apache HTTP Server that can be combined together to form various types of certificate authorities.

                                              And for an even more comprehensive approach, perhaps also TLS Pool could be interesting. This attempts to handle the whole TLS flow (including managing client side certificates) through a daemon, so normal applications don’t have to bother.

                                              1. 2

                                                Have a look at Offen, this might be what you are after.

                                                1. 1

                                                  As a user, a speedup is welcome. But from a more long term view, it might also be interesting to be able to replace bash with something like Colis, which has a formally verified interpreter.

                                                  1. 11

                                                    Shame that Huawei is government spyware; this seems really pretty and a good option for people.

                                                    1. 12

                                                      A hardware teardown would be interesting. Note that many people (even security aware ones) are still using laptops from another Chinese vendor Lenovo. I would not know what would make Huawei such a different case … though that argument can be taken two ways. Should we trust Huawei more, or Lenovo less?

                                                      1. 7

                                                        Should we trust Huawei more, or Lenovo less?

                                                        I’ve long since lost count of the number of times Lenovo’s been caught distributing spyware or firmware backdoors (I think I tuned out after the third instance).

                                                        You shouldn’t trust them less only because you shouldn’t trust them at all.

                                                        1. 2

                                                          Lenovo’s known spyware has all been at the OS level, right? Nothing that would survive a fresh reinstall?

                                                          1. 8

                                                            I believe there was a BIOS level one where chkdsk.exe was replaced from a copy in ROM. Dependent on Windows but still scary as hell.

                                                            Edit: https://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/

                                                            1. 3

                                                              I believe at least one was in the BIOS vendor region that Windows automatically reinstalls (naively expecting the mechanism to be used to provide critical hardware drivers and not, yknow, spyware), and thus persisted across “clean” reinstalls.

                                                              Linux doesn’t voluntarily install unknown shit from ROM, but it gives me zero faith in Lenovo’s EFI to not be backdoored

                                                              1. 1

                                                                I think this mechanism was intended for “anti-theft” software. Windows gets drivers from Windows Update, all critical drivers are built-in anyway.

                                                          2. 9

                                                            I don’t think that any mass product thing is not spyware. World changed, everything is spying on you: hardware, software, sites or whatever else that has internet access. There is no way to escape this shit. You can just try some handmade notebooks like MNT Reform or Purism Librem 5 smartphone, use trusted Linux, TOR over VPN and of course refuse to use services from big companies like Google. But you still won’t get 100% guarantee that they didn’t track you by some suspicious fingerprint.

                                                          3. 15

                                                            Can we just write away everything Huawei makes as spyware? Should people assume that Intel processors and the Windows OS are all full of US-gov backdoors? I know there’s a bit more evidence against Huawei, but a blanket dismissal may not be the good approach.

                                                            1. 8

                                                              what is the evidence against huawei?

                                                              1. 1

                                                                In all honesty, I hadn’t done all that much research before writing this comment. I suppose the ambient FUD about Huawei got to me.

                                                                The most I can find is here. There was an accusation of a hacking attempt in India. I don’t know of anything else that’s close to a smoking gun.

                                                                1. 1

                                                                  i don’t blame you; it’s the impression that U.S. sources give.

                                                                2. 1

                                                                  This video about supply chain security mentions some interesting supply chain attacks that could happen anywhere. Bunnie:studios also gives an interesting overview of the open source casualty of the trade war as companies are coerced to stop doing business with Huawei.

                                                                  Yet here in the UK we have the Huawei Cyber Security Evaluation Centre (HCSEC) which is reported on annually (2015, 2016, 2019), so I’m not convinced Huawei is any worse than any other manufacturer…

                                                                3. 9

                                                                  Intel gets most of its direction outside the government. Huawei is basically controlled by China. If the NSA made computers, I wouldn’t trust them either. Thankfully that’s the closest our system gets to complete authoritarian control.

                                                                  1. 5

                                                                    They don’t have to make computers, they have TAO which has a history of supply chain attacks

                                                                    1. 8

                                                                      where do you get the perception that huawei is controlled by the chinese government, but intel is not controlled by the u.s. government?

                                                                      1. 3

                                                                        I don’t think that “controlled” is the right word for intel, but rather incentivised to cooperate when they want backdoors or stuff like that.

                                                                        1. 2

                                                                          conversely, is there evidence that huawei is “controlled” rather than “incentivized”?

                                                                          1. 5

                                                                            I wish I had a go-to explainer for this but I suggest you google around regarding how close Chinese companies work with the Party. I find it intriguing that people think our own conceptions of private property and how corporations work can be transplanted to a Chinese context with little to no caution. Read about their economic reforms under Deng Xiaoping to decrease the inferential gap a bit

                                                                            1. 1

                                                                              but you do have to be careful and look at quantitative measures because you can expect american sources to give a skewed impression

                                                                              1. 1

                                                                                What quantitative measures? I’m certainly not suggesting they read about the actual economics behind the reform (aside from a surface layer of motivating factors), but the social implications of what it even means to be a huge Chinese corporation.

                                                                                1. 1

                                                                                  the technique i would use to guard against bias would be to see if any claim about china could also be made about the U.S. from an inverted perspective. for example, chinese companies share user data with their government, and U.S. companies share data with their government.

                                                                                  this comparison could be refined by looking at how much data about the public is collected and shared, but obviously that data is not available. i admit that no available quantitative measures come to mind, so i suppose the upshot is that it’s hard to draw conclusions because so little is known.

                                                                                  1. 1

                                                                                    For the record, I do think that caution in the other direction is needed: I get annoyed when Americans decide to have their 10547th Reddit thread bashing the Chinese social credit system as if their own vast network of private aggregators wasn’t just as capable. However there are clear qualitative differences in how these two countries operate. China is actually, for real way more oppressive, and it’s not like the SCS shouldn’t be bashed.

                                                                                    1. 1

                                                                                      depends on the criteria you use. you could just as well say the U.S. is more oppressive because our incarceration rate is over 5 times that of china. or if you include the world population in those who you care about being oppressed.

                                                                  2. 6

                                                                    Considering how much computer hardware is manufactured in China, maybe it’s naive to think only finished end-user products have “government spyware” embedded in them.

                                                                    1. 5

                                                                      is there evidence or is this an a priori assumption that also applies to american companies?

                                                                      1. 1

                                                                        There is adequate evidence as I understand it.

                                                                        American companies exist outside The Party. Chinese “companies” have less freedom.

                                                                        We are spoiled in America by what’s closest to freedom the world has ever seen. We have free speech, for example, and I don’t know of other countries that don’t criminalize various speech for whatever reasons. We can’t imagine what government control looks like.

                                                                        1. 3

                                                                          We are spoiled in America by what’s closest to freedom the world has ever seen.

                                                                          The freedom to enter crippling debt over medical care. The freedom from equality of opportunity. The freedom from justice if you are poor or brown. The freedom to vote for one of two capital-approved candidates in most elections. The freedom to have your vote count more in some states than others.

                                                                          I’ll take my chances elsewhere.

                                                                          1. 2

                                                                            The freedom to enter crippling debt over medical care. The freedom from equality of opportunity. The freedom from justice if you are poor or brown. The freedom to vote for one of two capital-approved candidates in most elections. The freedom to have your vote count more in some states than others.

                                                                            These things are Not Good. Compared with the Chinese government’s neo-Gulag though, there is no question at all that the US is indescribably more free.

                                                                            1. 2

                                                                              The quoted statement is not “The USA has more freedom than China”

                                                                          2. 1

                                                                            There is adequate evidence as I understand it.

                                                                            can you say what the evidence is? or you just have a general understanding that there is some evidence somewhere?

                                                                        2. 2

                                                                          I guess we should completely forget that spyware thing and accept that all governments do that. Think Snowden.

                                                                          On the other hand we should understand China follows a completely different paradigm than western societies. Confucianism, where the whole society is integrated from family to business and government. Yes, it’s autocracy vs. democracy as we know.

                                                                          1. 6

                                                                            Hot take: ALL existing societies are oligarchies. Literally all of them. Representative “democracy” is not actually that democratic.

                                                                            1. 9

                                                                              There’s also always moisture in the air. Literally always. “Rain” is not actually that wet.

                                                                              1. 5

                                                                                Maybe, but at least representative democracy holds up free speech in many places. E.g. I can openly and loudly criticize the government or companies in a Western European country without repercussions. Try the same in China.

                                                                                1. 4

                                                                                  So, they’re all the same. Your views might be controversial over there to authorities. Even your alias given they’re a surveillance state. Since all countries are the same, how did yours treat you in the re-education center? And what steps are you taking to see news media and send your files through your country’s national firewall controlling what you see and hear?

                                                                                  1. 3

                                                                                    I did not say they’re all the same in all aspects. I said they’re all controlled by the rich and powerful, by the owner class.

                                                                                    Of course the US is more invested in the appearance of freedom. Western governments are smart enough to allow criticism that doesn’t have much impact. They use subtler, stealthier tactics (e.g. inserting feds into organizations and entrapping members) to disrupt activism, but they still do it.

                                                                                    1. 2

                                                                                      Now, I agree with all that. :)

                                                                            1. 17

                                                                              This kind of content would be much better as a blog post.

                                                                              1. 11

                                                                                I was thinking exactly the same. The world has really come to this point, where a platform with poor presentation is the preferred medium of expression simply due to its popularity (easier to draw eyeballs).

                                                                                  1. 1

                                                                                    That is awesome! Thanks for telling us about it!

                                                                                  2. 7

                                                                                    I stopped looking at it because of it being on twitter. It’s not meant for articles, and it’s silly to use it that way IMO.

                                                                                    1. 2

                                                                                      I agree in general, but well-structured Tweet threads like this are acceptable.

                                                                                      1. 12

                                                                                        For people not on Twitter “well-structured tweets” are actually rather uncomfortable.

                                                                                        Re the article itself: the amount of telemetry gathered by browsers is rather unsettling. Interesting read.

                                                                                        1. 3

                                                                                          I mean, I proposed a tag for “low-info” submissions like a single tweet - this was rejected. But I’ve seen a number of decent threads (like this one, and this one) so I’ve come to moderate my stance.

                                                                                          1. 3

                                                                                            Indeed, Tweet threading was one of the things that prevented me from adopting Twitter. I found it very hard to follow conversations.

                                                                                        2. 2

                                                                                          So if we say “The Medium is the Message,” what does that say about these silly long Twitter threads? Some of them contain a lot of debt, but the way they’re broken up changes the way we read and interoperate the message.

                                                                                        1. 3

                                                                                          BTW: VerifPal is produced by the original author of Noise Explorer featured earlier here on Lobste.rs.

                                                                                            1. 3

                                                                                              This is not the Noise protocol framework, but the Signal secure messaging protocol: https://signal.org/docs

                                                                                              Noise was authored by Trevor Perrin, one of the two co-authors for the Signal protocol.

                                                                                              Please review Chapter 5 of the Verifpal User Manual in order to better understand how this modeling was achieved in Verifpal.

                                                                                              1. 2

                                                                                                You are perfectly right. Thanks for pointing it out. Reading the manual right now!

                                                                                            1. 1

                                                                                              @nickpsecurity: I did not know that project, very interesting. I did learn quite some things that were useful from the article.

                                                                                              1. 1

                                                                                                Here’s you a survey paper (pdf) on secure compilation that gives you a lot of background and current information. They started trying to mathematically prove correctness of compilers. That was typically for one language, though, with interactions between them (eg C w/ assembly, Java w/ C FFI) causing problems. The cutting edge is “fully-abstract, secure compilation” that addresses that. An older technique that’s not as math-heavy was “type-based, certified compilation” (here) at FLINT. They had type systems at every level from high-level source to intermediate language to assembly language that could catch errors or ensure consistency.

                                                                                                So, there’s you some stuff to think about on that topic. That’s compilers. David A. Wheeler’s page on SCM security addresses securing repos, esp for distribution.

                                                                                              1. 2

                                                                                                Obviously, parsing XML is very much non-trivial. So the size of the code is likely to grow, because writing your own safe XML parser is probably more yak-shaving than would be healthy.

                                                                                                Do you intend to release it under some free license?

                                                                                                1. 4

                                                                                                  Both the XML parsing and HTTP retrieval are done by libmrss (libnxml and libcurl among transitive dependencies).

                                                                                                  Yes, I intend to release it under GPL3 (as briefly mentioned in the README).

                                                                                                1. 1

                                                                                                  This is from 2013, so probably should be tagged as such.

                                                                                                  Note that it is a crying shame that a paper like this invites to go to a dedicated website, which is subsequently not maintained - so one has to hunt for the code:

                                                                                                  We encourage researchers to download STABILIZER to use it as a basis for sound performance evaluation: it is available at http://www.stabilizer-tool.org

                                                                                                  This is why we need places like Software Heritage!

                                                                                                  1. 3

                                                                                                    This reminds me a bit of the time when Microsoft gave custom CSS to users of the Opera browser. Ended up with a big fine from the European competition authority, though.

                                                                                                    1. 4

                                                                                                      I’m definitely curious what will come of this. As mentioned before, DeltaChat is a related effort. One thing chat over email does really well, is to be inconspicuous - there are many countries where traffic to a chat server is suspicious by itself. Obviously, this project is early days, but the larger idea works well for me.